Commit
Merge pull request #2664 from splunk/SRS_AD_PrivEsc
Adding AD Privilege Escalation SRS Detections
Showing 15 changed files with 1,398 additions and 0 deletions.
72 changes: 72 additions & 0 deletions
dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml
@@ -0,0 +1,72 @@ | ||
name: Windows Default Group Policy Object Modified with GPME | ||
id: bcb55c13-067b-4648-98f3-627010f72520 | ||
version: 1 | ||
date: '2023-05-02' | ||
author: Mauricio Velazco, Splunk | ||
status: production | ||
type: TTP | ||
description: The following analytic identifies the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain | ||
two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. | ||
The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group | ||
policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. | ||
data_source: | ||
- Windows Security 4688 | ||
search: | ||
selection1: | ||
process.file.name: | ||
- mmc.exe | ||
process.cmd_line|contains: gpme.msc | ||
selection2: | ||
process.cmd_line|contains: 31B2F340-016D-11D2-945F-00C04FB984F9 | ||
selection3: | ||
process.cmd_line|contains: 6AC1786C-016F-11D2-945F-00C04fB984F9 | ||
condition: selection1 or selection2 or selection3 | ||
how_to_implement: To successfully implement this search, you need to be ingesting | ||
logs with the process name, parent process, and command-line executions from your | ||
endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the | ||
Sysmon TA. | ||
known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. | ||
references: | ||
- https://attack.mitre.org/techniques/T1484/ | ||
- https://attack.mitre.org/techniques/T1484/001 | ||
- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ | ||
- https://adsecurity.org/?p=2716 | ||
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11) | ||
tags: | ||
analytic_story: | ||
- Active Directory Privilege Escalation | ||
asset_type: Endpoint | ||
confidence: 50 | ||
impact: 100 | ||
message: A default group policy object was opened with Group Policy Manage Editor on $dest$ | ||
mitre_attack_id: | ||
- T1484 | ||
- T1484.001 | ||
observable: | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
- name: parent_process_name | ||
type: Process | ||
role: | ||
- Parent Process | ||
- name: process_name | ||
type: Process | ||
role: | ||
- Child Process | ||
product: | ||
- Splunk Behavioral Analytics | ||
required_fields: | ||
- process_name | ||
- _time | ||
- dest_device_id | ||
- dest_user_id | ||
- process | ||
risk_score: 50 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log | ||
source: XmlWinEventLog |
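Review bot: the line `condition: selection1 or selection2 or selection3` contradicts the analytic's name and description. With `or`, every `mmc.exe` launch carrying `gpme.msc` fires on selection1 alone, so the two default-GPO GUIDs in selection2 and selection3 never narrow anything, and selection2/selection3 fire for any process whose command line contains those GUIDs. If the intent is "the Group Policy Management Editor opened against a default GPO", the condition should be `selection1 and (selection2 or selection3)`. Two smaller points in the same hunk: the GUID in selection3 mixes case (`00C04fB984F9` against `00C04FB984F9` in selection2), so whether it matches depends on the case-sensitivity of `|contains` in the target engine; normalise it. And the text promises detection of a GPO being modified, but a 4688 for `mmc.exe` only shows the editor being opened; either say "opened" in the description and message (which also misspells "Group Policy Manage Editor" for "Group Policy Management Editor") or pair it with a GPO-change event. `how_to_implement` also talks about the Sysmon TA while `data_source` is Windows Security 4688.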
64 changes: 64 additions & 0 deletions
dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml
@@ -0,0 +1,64 @@ | ||
name: Windows File Share Discovery With Powerview | ||
id: ec4f671e-c736-4f78-a4c0-8fe809e952e5 | ||
version: 1 | ||
date: '2023-05-02' | ||
author: Mauricio Velazco, Splunk | ||
status: production | ||
type: TTP | ||
description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all | ||
active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information | ||
like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them | ||
for Privilege Escalation or Lateral Movement. | ||
data_source: | ||
- Powershell 4104 | ||
search: | ||
selection1: | ||
process.cmd_line|re: 'invoke-sharefinder' | ||
condition: selection1 | ||
how_to_implement: To successfully implement this analytic, you will need to enable | ||
PowerShell Script Block Logging on some or all endpoints. Additional setup here | ||
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. | ||
known_false_positives: Unknown | ||
references: | ||
- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 | ||
- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ | ||
- https://attack.mitre.org/techniques/T1135/ | ||
tags: | ||
analytic_story: | ||
- Active Directory Privilege Escalation | ||
asset_type: Endpoint | ||
confidence: 80 | ||
impact: 60 | ||
message: Invoke-ShareFinder commandlet was executed on $Computer$ | ||
mitre_attack_id: | ||
- T1552 | ||
- T1552.006 | ||
observable: | ||
- name: Computer | ||
type: Hostname | ||
role: | ||
- Victim | ||
- name: UserID | ||
type: User | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Behavioral Analytics | ||
required_fields: | ||
- _time | ||
- EventCode | ||
- ScriptBlockText | ||
- Opcode | ||
- Computer | ||
- UserID | ||
kill_chain_phases: | ||
- Exploitation | ||
risk_score: 48 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log | ||
source: XmlWinEventLog | ||
sourcetype: XmlWinEventLog | ||
update_timestamp: true |
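Review bot: `mitre_attack_id` lists T1552 and T1552.006 (Unsecured Credentials: Group Policy Preferences), but the analytic, its reference list and its test dataset path are all about T1135 (Network Share Discovery); the mapping looks copied from the GPP analytics in this PR and should be T1135. Also in this hunk: the pattern `process.cmd_line|re: 'invoke-sharefinder'` is all lowercase while the cmdlet is `Invoke-ShareFinder`, so it only matches if the pipeline lowercases the field or the regex is case-insensitive; a plain `|contains` would do the same job as an unanchored literal regex. The data source is PowerShell 4104 and `required_fields` names `ScriptBlockText`, yet the selection reads `process.cmd_line`; confirm the SSA field mapping. `known_false_positives: Unknown` could at least note that administrators auditing share exposure will trigger this.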
@@ -0,0 +1,65 @@ | ||
name: Windows Findstr GPP Discovery | ||
id: 73ed0f19-080e-4917-b7c6-56e1760a50d4 | ||
version: 1 | ||
date: '2023-05-02' | ||
author: Mauricio Velazco, Splunk | ||
status: production | ||
type: TTP | ||
description: The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). | ||
GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. | ||
These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). | ||
While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. | ||
data_source: | ||
- Windows Security 4688 | ||
search: | ||
selection1: | ||
process.file.name: | ||
- findstr.exe | ||
process.cmd_line|contains: sysvol | ||
process.cmd_line|contains: cpassword | ||
condition: selection1 | ||
how_to_implement: To successfully implement this search, you need to be ingesting | ||
logs with the process name, parent process, and command-line executions from your | ||
endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the | ||
Sysmon TA. | ||
known_false_positives: Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed. | ||
references: | ||
- https://attack.mitre.org/techniques/T1552/006/ | ||
- https://pentestlab.blog/2017/03/20/group-policy-preferences/ | ||
- https://adsecurity.org/?p=2288 | ||
- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ | ||
- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 | ||
tags: | ||
analytic_story: | ||
- Active Directory Privilege Escalation | ||
asset_type: Endpoint | ||
confidence: 80 | ||
impact: 70 | ||
message: Findstr was executed to discover GPP credentials on $dest$ | ||
mitre_attack_id: | ||
- T1552 | ||
- T1552.006 | ||
observable: | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Behavioral Analytics | ||
required_fields: | ||
- process_name | ||
- _time | ||
- dest_device_id | ||
- dest_user_id | ||
- process | ||
risk_score: 56 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log | ||
source: XmlWinEventLog |
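Review bot: selection1 repeats the key `process.cmd_line|contains` twice (`sysvol` on one line, `cpassword` on the next). Duplicate keys in a YAML mapping are not a logical AND: most parsers silently keep the last value, so the `sysvol` term is dropped and the search becomes `findstr.exe` with `cpassword` anywhere in the command line, while strict parsers reject the file outright. Express it as one key with a list, e.g. `process.cmd_line|contains|all:` followed by `- sysvol` and `- cpassword` if the SSA search grammar supports Sigma's `|all` modifier, otherwise as two selections joined with `and`. Also the description reads "impedes Administrators to create unsecure credentials"; "prevents administrators from creating" is what MS14-025 does, and the first sentence is missing "in" before "Group Policy Preferences". `how_to_implement` refers to the Sysmon TA while `data_source` is Windows Security 4688.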
67 changes: 67 additions & 0 deletions
dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml
@@ -0,0 +1,67 @@ | ||
name: Windows PowerSploit GPP Discovery | ||
id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2 | ||
version: 1 | ||
date: '2023-05-02' | ||
author: Mauricio Velazco, Splunk | ||
status: production | ||
type: TTP | ||
description: The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). | ||
GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. | ||
These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). | ||
While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. | ||
data_source: | ||
- Powershell 4104 | ||
search: | ||
selection1: | ||
process.cmd_line|re: 'get-gpppassword' | ||
condition: selection1 | ||
how_to_implement: To successfully implement this analytic, you will need to enable | ||
PowerShell Script Block Logging on some or all endpoints. Additional setup here | ||
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. | ||
known_false_positives: Unknown | ||
references: | ||
- https://attack.mitre.org/techniques/T1552/006/ | ||
- https://pentestlab.blog/2017/03/20/group-policy-preferences/ | ||
- https://adsecurity.org/?p=2288 | ||
- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ | ||
- https://adsecurity.org/?p=2288 | ||
- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 | ||
tags: | ||
analytic_story: | ||
- Active Directory Privilege Escalation | ||
asset_type: Endpoint | ||
confidence: 80 | ||
impact: 70 | ||
message: Commandlets leveraged to discover GPP credentials were executed on $Computer$ | ||
mitre_attack_id: | ||
- T1552 | ||
- T1552.006 | ||
observable: | ||
- name: Computer | ||
type: Hostname | ||
role: | ||
- Victim | ||
- name: UserID | ||
type: User | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Behavioral Analytics | ||
required_fields: | ||
- _time | ||
- EventCode | ||
- ScriptBlockText | ||
- Opcode | ||
- Computer | ||
- UserID | ||
kill_chain_phases: | ||
- Exploitation | ||
risk_score: 56 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log | ||
source: XmlWinEventLog | ||
sourcetype: XmlWinEventLog | ||
update_timestamp: true |
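Review bot: the reference list contains `https://adsecurity.org/?p=2288` twice; drop one. `message` says "Commandlets ... were executed" (plural) but the only pattern is `get-gpppassword`; either add the other GPP cmdlets this is meant to cover or make the message singular. As in the Invoke-ShareFinder analytic, the lowercase regex literal `'get-gpppassword'` relies on case-insensitive matching of `Get-GPPPassword`, and `process.cmd_line` is queried against a 4104 source whose field list is `ScriptBlockText`. The description's grammar ("impedes Administrators to create", "search for unsecured credentials Group Policy Preferences") needs the same fixes as the Findstr analytic.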
64 changes: 64 additions & 0 deletions
dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml
@@ -0,0 +1,64 @@ | ||
name: Windows PowerView AD Access Control List Enumeration | ||
id: 2b301d6c-0527-4dbd-8d2d-5345bc4be0cf | ||
version: 1 | ||
date: '2023-05-02' | ||
author: Mauricio Velazco, Splunk | ||
status: production | ||
type: TTP | ||
description: The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets | ||
are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within | ||
the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex | ||
and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged | ||
by attackers to identify and exploit configuration weaknesses. | ||
data_source: | ||
- Powershell 4104 | ||
search: | ||
selection1: | ||
process.cmd_line|re: 'get-objectacl' | ||
selection2: | ||
process.cmd_line|re: 'get-domainobjectacl' | ||
condition: selection1 or selection2 | ||
how_to_implement: To successfully implement this analytic, you will need to enable | ||
PowerShell Script Block Logging on some or all endpoints. Additional setup here | ||
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. | ||
known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. | ||
references: | ||
- https://attack.mitre.org/techniques/T1078/002/ | ||
- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 | ||
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces | ||
- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ | ||
tags: | ||
analytic_story: | ||
- Active Directory Privilege Escalation | ||
asset_type: Endpoint | ||
confidence: 50 | ||
impact: 40 | ||
message: PowerView AD acccess control list enumeration detected on $Computer$ | ||
mitre_attack_id: | ||
- T1078.002 | ||
- T1069 | ||
observable: | ||
- name: Computer | ||
type: Hostname | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Behavioral Analytics | ||
required_fields: | ||
- _time | ||
- EventCode | ||
- ScriptBlockText | ||
- Opcode | ||
- Computer | ||
- UserID | ||
kill_chain_phases: | ||
- Exploitation | ||
risk_score: 20 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log | ||
source: XmlWinEventLog | ||
sourcetype: XmlWinEventLog | ||
update_timestamp: true |
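Review bot: the `mitre_attack_id` pairing of T1078.002 (Valid Accounts: Domain Accounts) with T1069 (Permission Groups Discovery) does not describe ACL enumeration well; running `Get-ObjectAcl` or `Get-DomainObjectAcl` is discovery, not use of a valid account, so the T1078/002 reference and the test dataset path under `T1078.002/` deserve a second look before this ships as `status: production`. Smaller points: `message` has "acccess"; the description should read "These cmdlets are used" rather than "This commandlets are used"; `required_fields` includes `UserID` but, unlike the other 4104 analytics in this PR, no `UserID` observable is declared, so the user never reaches the risk object. Same regex-case caveat as the other PowerShell analytics: `'get-objectacl'` and `'get-domainobjectacl'` only match the mixed-case cmdlet names if matching is case-insensitive.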